IRONCHEF

ANT Product Data 



(TS//SI//REL) IRONCHEF provides access persistence to target systems by 
exploiting the motherboard BIOS and utilizing System Management Mode (SMM) to 
communicate with a hardware implant that provides two-way RF communication. 

(TS//SI//REL) IRONCHEF Extended Concept of Operations

(TS//SI/REL) This technique supports the HP Proliant 380DL G5 server, onto which
a hardware implant has been installed that communicates over the I2C Interface
(WAGONBED).

(TS//SI//REL) Through interdiction, IRONCHEF, a software CNE implant and the 
hardware implant are installed onto the system. If the software CNE implant is 
removed from the target machine, IRONCHEF is used to access the machine, 
determine the reason for removal of the software, and then reinstall the software 
from a listening post to the target system. 



Status: Ready for Immediate Delivery 
POC: S32221

Unit Cost: $0

DEITYBOUNCE

ANT Product Data 



(TS//SI//REL) DEITYBOUNCE provides software application persistence on Dell
PowerEdge servers by exploiting the motherboard BIOS and utilizing System
Management Mode (SMM) to gain periodic execution while the Operating System
loads.

(TS//SI//REL) This technique supports multi-processor systems with RAID hardware
and Microsoft Windows 2000, 2003, and XP. It currently targets Dell PowerEdge
1850/2850/1950/2950 RAID servers, using BIOS versions A02, A05, A06, 1.1.0,
1.2.0, or 1.3.7.

(TS//SI//REL) Through remote access or interdiction, ARKSTREAM is used to
re-flash the BIOS on a target machine to implant DEITYBOUNCE and its payload (the
implant installer). Implantation via interdiction may be accomplished by a
non-technical operator through use of a USB thumb drive. Once implanted,
DEITYBOUNCE's frequency of execution (dropping the payload) is configurable and
will occur when the target machine powers on.

Status: Released / Deployed. Ready for Immediate Delivery

Unit Cost: $0

POC:

JETPLOW

ANT Product Data 



(TS//SI//REL) JETPLOW is a firmware persistence implant for Cisco PIX Series and
ASA (Adaptive Security Appliance) firewalls. It persists DNT's BANANAGLEE
software implant. JETPLOW also has a persistent back-door capability.

(TS//SI//REL) JETPLOW Persistence Implant Concept of Operations

(TS//SI//REL) JETPLOW is a firmware persistence implant for Cisco PIX Series and
ASA (Adaptive Security Appliance) firewalls. It persists DNT's BANANAGLEE
software implant and modifies the Cisco firewall's operating system (OS) at boot
time. If BANANAGLEE support is not available for the booting operating system, it
can install a Persistent Backdoor (PBD) designed to work with BANANAGLEE's
communications structure, so that full access can be reacquired at a later time.
JETPLOW works on Cisco's 500-series PIX firewalls, as well as most ASA firewalls
(5505, 5510, 5520, 5540, 5550).

(TS//SI//REL) A typical JETPLOW deployment on a target firewall with an exfiltration
path to the Remote Operations Center (ROC) is shown above. JETPLOW is
remotely upgradeable and is also remotely installable provided BANANAGLEE is
already on the firewall of interest.

Status: (C//REL) Released. Has been widely deployed. Current
availability restricted based on OS version (inquire for details).

Unit Cost: $0

POC: S32222

HALLUXWATER

ANT Product Data 



(TS//SI//REL) The HALLUXWATER Persistence Back Door implant is installed on a 
target Huawei Eudemon firewall as a boot ROM upgrade. When the target reboots, 
the PBD installer software will find the needed patch points and install the back door 
in the inbound packet processing routine. 



06/24/08

[Figure labels: Target Network; PC; Typical Target Firewall or Router (MPU / CPU, Operating System, System BIOS); Command, Control, and Data Exfiltration using DNT Implant Communications Protocol (typical); NSA Remote Operations Center]

(TS//SI//REL) HALLUXWATER Persistence Implant Concept of Operations

(TS//SI//REL) Once installed, HALLUXWATER communicates with an NSA operator
via the TURBOPANDA Insertion Tool (PIT), giving the operator covert access to
read and write memory, execute an address, or execute a packet.

(TS//SI//REL) HALLUXWATER provides a persistence capability on the Eudemon
200, 500, and 1000 series firewalls. The HALLUXWATER back door survives OS
upgrades and automatic boot ROM upgrades.

Status: (U//FOUO) On the shelf, and has been deployed.
POC: S32222

FEEDTROUGH

ANT Product Data 



(TS//SI//REL) FEEDTROUGH is a persistence technique for two software implants, DNT's
BANANAGLEE and CES's ZESTYLEAK, used against Juniper Netscreen firewalls.

(S//SI//REL) Persistence Operational Scenario

(TS//SI//REL) FEEDTROUGH can be used to persist two implants, ZESTYLEAK and/or
BANANAGLEE, across reboots and software upgrades on known and covered OS's for the
following Netscreen firewalls: ns5xt, ns25, ns50, ns200, ns500 and ISG 1000. There is no
direct communication to or from FEEDTROUGH, but if present, the BANANAGLEE implant
can receive and transmit covert channel comms, and for certain platforms, BANANAGLEE
can also update FEEDTROUGH. FEEDTROUGH however can only persist OS's included
in its databases. Therefore this is best employed with known OS's and if a new OS comes
out, then the customer would need to add this OS to the FEEDTROUGH database for that
particular firewall.

(TS//SI//REL) FEEDTROUGH operates every time the particular Juniper firewall boots. The
first hook takes it to the code which checks to see if the OS is in the database. If it is, then a
chain of events ensures the installation of either one or both implants. Otherwise the firewall
boots normally. If the OS is one modified by DNT, it is not recognized, which gives the
customer freedom to field new software.

Status: (S//SI//REL) FEEDTROUGH has on the shelf solutions for all of the listed platforms.
It has been deployed on many target platforms.

Derived From: NSA/CSSM 1-52
Dated: 20070108
Declassify On: 20320108

GOURMETTROUGH

ANT Product Data 

(TS//SI//REL) GOURMETTROUGH is a user configurable persistence implant for
certain Juniper firewalls. It persists DNT's BANANAGLEE implant across reboots
and OS upgrades. For some platforms, it supports a minimal implant with
beaconing for OS's unsupported by BANANAGLEE.

(TS//SI//REL) GOURMETTROUGH Persistence Implant Concept of Operations

(TS//SI//REL) For supported platforms, DNT may configure BANANAGLEE without
ANT involvement. Except for limited platforms, they may also configure PBD for
minimal implant in the case where an OS unsupported by BANANAGLEE is booted.

Status: GOURMETTROUGH is on the shelf and has been deployed on many
target platforms. It supports nsg5t, ns50, ns25, isg 1000 (limited). Soon: ssg140,
ssg5, ssg20

Unit Cost: $0

POC: S32222

Derived From: NSA/CSSM 1-52
Dated: 20070108
Declassify On: 20320108

SOUFFLETROUGH

ANT Product Data 



(TS//SI//REL) SOUFFLETROUGH is a BIOS persistence implant for Juniper SSG
500 and SSG 300 series firewalls. It persists DNT's BANANAGLEE software
implant. SOUFFLETROUGH also has an advanced persistent back-door capability.

(TS//SI//REL) SOUFFLETROUGH Persistence Implant Concept of Operations

(TS//SI//REL) SOUFFLETROUGH is a BIOS persistence implant for Juniper SSG
500 and SSG 300 series firewalls (320M, 350M, 520, 550, 520M, 550M). It persists
DNT's BANANAGLEE software implant and modifies the Juniper firewall's operating
system (ScreenOS) at boot time. If BANANAGLEE support is not available for the
booting operating system, it can install a Persistent Backdoor (PBD) designed to
work with BANANAGLEE's communications structure, so that full access can be
reacquired at a later time. It takes advantage of Intel's System Management Mode
for enhanced reliability and covertness. The PBD is also able to beacon home, and
is fully configurable.

(TS//SI//REL) A typical SOUFFLETROUGH deployment on a target firewall with an
exfiltration path to the Remote Operations Center (ROC) is shown above.
SOUFFLETROUGH is remotely upgradeable and is also remotely installable
provided BANANAGLEE is already on the firewall of interest.

Status: (C//REL) Released. Has been deployed. There are no
availability restrictions preventing ongoing deployments.

Unit Cost: $0

Derived From: NSA/CSSM 1-52
Dated: 20070108
Declassify On: 20320108

HEADWATER

ANT Product Data 



(TS//SI//REL) HEADWATER is a Persistent Backdoor (PBD) software implant for 
selected Huawei routers. The implant will enable covert functions to be remotely 
executed within the router via an Internet connection. 



06/24/08

(TS//SI//REL) HEADWATER Persistence Implant Concept of Operations

(TS//SI//REL) HEADWATER PBD implant will be transferred remotely over
the Internet to the selected target router by Remote Operations Center
(ROC) personnel. After the transfer process is complete, the PBD will be
installed in the router's boot ROM via an upgrade command. The PBD will
then be activated after a system reboot. Once activated, the ROC
operators will be able to use DNT's HAMMERMILL Insertion Tool (HIT) to
control the PBD as it captures and examines all IP packets passing through
the host router.

(TS//SI//REL) HEADWATER is the cover term for the PBD for Huawei
Technologies routers. PBD has been adopted for use in the joint NSA/CIA
effort to exploit Huawei network equipment. (The cover name for this joint
project is TURBOPANDA.)

Status: (U//FOUO) On the shelf ready for deployment

SCHOOLMONTANA

ANT Product Data 



(TS//SI//REL) SCHOOLMONTANA provides persistence for DNT implants. The DNT
implant will survive an upgrade or replacement of the operating system - including
physically replacing the router's compact flash card.

(S//SI//REL) SCHOOLMONTANA Concept of Operations

(TS//SI//REL) Currently, the intended DNT Implant to persist is
VALIDATOR, which must be run as a user process on the target
operating system. The vector of attack is the modification of the target's
BIOS. The modification will add the necessary software to the BIOS and
modify its software to execute the SCHOOLMONTANA implant at the end
of its native System Management Mode (SMM) handler.

(TS//SI//REL) SCHOOLMONTANA must support all modern versions of
JUNOS, which is a version of FreeBSD customized by Juniper. Upon
system boot, the JUNOS operating system is modified in memory to run
the implant, and provide persistent kernel modifications to support
implant execution.

(TS//SI//REL) SCHOOLMONTANA is the cover term for the persistence technique
to deploy a DNT implant to Juniper J-Series routers.

Status: (U//FOUO) SCHOOLMONTANA completed and released by ANT May 30,
2003. It is ready for deployment.

SIERRAMONTANA

ANT Product Data 



(TS//SI//REL) SIERRAMONTANA provides persistence for DNT implants. The DNT
implant will survive an upgrade or replacement of the operating system - including
physically replacing the router's compact flash card.

(S//SI//REL) SIERRAMONTANA Concept of Operations

(TS//SI//REL) Currently, the intended DNT Implant to persist is
VALIDATOR, which must be run as a user process on the target
operating system. The vector of attack is the modification of the target's
BIOS. The modification will add the necessary software to the BIOS and
modify its software to execute the SIERRAMONTANA implant at the end
of its native System Management Mode (SMM) handler.

(TS//SI//REL) SIERRAMONTANA must support all modern versions of
JUNOS, which is a version of FreeBSD customized by Juniper. Upon
system boot, the JUNOS operating system is modified in memory to run
the implant, and provide persistent kernel modifications to support
implant execution.

(TS//SI//REL) SIERRAMONTANA is the cover term for the persistence technique to
deploy a DNT implant to Juniper M-Series routers.

Unit Cost: $

Status: (U//FOUO) SIERRAMONTANA under development and is expected to be
released by 30 November 2008.

POC: U//FOUO

STUCCOMONTANA

ANT Product Data 



(TS//SI//REL) STUCCOMONTANA provides persistence for DNT implants. The
DNT implant will survive an upgrade or replacement of the operating system -
including physically replacing the router's compact flash card.

(S//SI//REL) STUCCOMONTANA Concept of Operations

(TS//SI//REL) Currently, the intended DNT Implant to persist is
VALIDATOR, which must be run as a user process on the target operating
system. The vector of attack is the modification of the target's BIOS. The
modification will add the necessary software to the BIOS and modify its
software to execute the STUCCOMONTANA implant at the end of its native
System Management Mode (SMM) handler.

(TS//SI//REL) STUCCOMONTANA must support all modern versions of
JUNOS, which is a version of FreeBSD customized by Juniper. Upon system
boot, the JUNOS operating system is modified in memory to run the
implant, and provide persistent kernel modifications to support implant
execution.

(TS//SI//REL) STUCCOMONTANA is the cover term for the persistence technique to
deploy a DNT implant to Juniper T-Series routers.

Unit Cost: $

Status: (U//FOUO) STUCCOMONTANA under development and is expected to be
released by 30 November 2008.

POC: U//FOUO S32222

CTX4000

ANT Product Data

TOP SECRET//COMINT//REL TO USA, FVEY

(TS//SI//REL TO USA, FVEY) The CTX4000 is a portable continuous wave (CW)
radar unit. It can be used to illuminate a target system to recover different off net
information. Primary uses include VAGRANT and DROPMIRE collection.

8 Jul 2008

(TS//SI//REL TO USA, FVEY) The CTX4000 provides the means to collect signals
that otherwise would not be collectable, or would be extremely difficult to collect
and process. It provides the following features:

* Frequency Range: 1 - 2 GHz
* Bandwidth: Up to 45 MHz
* Output Power: User adjustable up to 2 W using the internal amplifier; external
  amplifiers make it possible to go up to 1 kW
* Phase adjustment with front panel knob
* User-selectable high- and low-pass filters
* Remote controllable
* Outputs:
  - Transmit antenna
  - I & Q video outputs
  - DC bias for an external pre-amp on the Receive input connector
* Inputs:
  - External oscillator
  - Receive antenna

Unit Cost: N/A

Status: unit is operational. However, it is reaching the end of its service life. It is
scheduled to be replaced by PHOTOANGLO starting in September 2008.

POC: S32243

Derived From: NSA/CSSM 1-52

LOUDAUTO

ANT Product Data 



(TS//SI//REL TO USA, FVEY) Audio-based RF retro-reflector. Provides room
audio from targeted space using radar and basic post-processing.

07 Apr 2009

(U) Capabilities

(TS//SI//REL TO USA, FVEY) LOUDAUTO's current design maximizes the gain of the
microphone. This makes it extremely useful for picking up room audio. It can pick
up speech at a standard, office volume from over 20' away. (NOTE: Concealments
may reduce this distance.) It uses very little power (~15 uA at 3.0 VDC), so
little, in fact, that battery self-discharge is more of an issue for serviceable
lifetime than the power draw from this unit. The simplicity of the design allows
the form factor to be tailored for specific operational requirements. All
components are COTS and so are non-attributable to NSA.

(U) Concept of Operation

(TS//SI//REL TO USA, FVEY) Room audio is picked up by the microphone and
converted into an analog electrical signal. This signal is used to pulse position
modulate (PPM) a square wave signal running at a pre-set frequency. This
square wave is used to turn a FET (field effect transistor) on and off. When
the unit is illuminated with a CW signal from a nearby radar unit, the
illuminating signal is amplitude-modulated with the PPM square wave. This
signal is re-radiated, where it is picked up by the radar, then processed to
recover the room audio. Processing is currently performed by COTS
equipment with FM demodulation capability (Rohde & Schwarz FSH-series
portable spectrum analyzers, etc.) LOUDAUTO is part of the
ANGRYNEIGHBOR family of radar retro-reflectors.

Unit Cost: $30

Status: End processing still in development

POC: S32243

NIGHTWATCH

ANT Product Data 



(TS//SI//REL TO USA, FVEY) NIGHTWATCH is a portable computer with
specialized, internal hardware designed to process progressive-scan
(non-interlaced) VAGRANT signals.

24 Jul 2008

(U) Capability Summary

(TS//SI//REL TO USA, FVEY) The current implementation of NIGHTWATCH consists of
a general-purpose PC inside of a shielded case. The PC has PCI digitizing and clock
cards to provide the needed interface and accurate clocking required for video
reconstruction. It also has:

• horizontal sync, vertical sync and video outputs to drive an external, multi-sync
  monitor
• video input
• spectral analysis up to 150 kHz to provide for indications of horizontal and
  vertical sync frequencies
• frame capture and forwarding
• PCMCIA cards for program and data storage
• horizontal sync locking to keep the display set on the NIGHTWATCH display
• frame averaging up to 2^16 (65536) frames

(U) Concept of Operation

(TS//SI//REL TO USA, FVEY) The video output from an appropriate collection
system, such as a CTX4000, PHOTOANGLO, or general-purpose receiver, is
connected to the video input on the NIGHTWATCH system. The user, using the
appropriate tools either within NIGHTWATCH or externally, determines the
horizontal and vertical sync frequencies of the targeted monitor. Once the user
matches the proper frequencies, he activates "Sync Lock" and frame averaging
to reduce noise and improve readability of the targeted monitor. If warranted, the
user then forwards the displayed frames over a network to NSAW, where
analysts can look at them for intelligence purposes.

Unit Cost: N/A

Status: This system has reached the end of its service life. All work concerning
the NIGHTWATCH system is strictly for maintenance purposes. This system is
slated to be replaced by the VIEWPLATE system.

PHOTOANGLO

ANT Product Data 



(TS//SI//REL TO USA, FVEY) PHOTOANGLO is a joint NSA/GCHQ project to
develop a new radar system to take the place of the CTX4000.

24 Jul 2008

(U) Capabilities

(TS//SI//REL TO USA, FVEY) The planned capabilities for this system are:

• Frequency range: 1 - 2 GHz, which will be later extended to 1 - 4 GHz
• Maximum bandwidth: 450 MHz
• Size: Small enough to fit into a slim briefcase
• Weight: Less than 10 lbs
• Maximum Output Power: 2 W
• Output:
  • Video
  • Transmit antenna
• Inputs:
  • External oscillator
  • Receive antenna

(U) Concept of Operation

(TS//SI//REL TO USA, FVEY) The radar unit
generates an unmodulated, continuous wave (CW) signal. The oscillator is
either generated internally, or externally through a signal generator or cavity
oscillator. The unit amplifies the signal and sends it out to an RF connector,
where it is directed to some form of transmission antenna (horn, parabolic dish,
LPA, spiral). The signal illuminates the target system and is re-radiated. The
receive antenna picks up the re-radiated signal and directs the signal to the
receive input. The signal is amplified, filtered, and mixed with the transmit
antenna. The result is a homodyne receiver in which the RF signal is mixed
directly to baseband. The baseband video signal is ported to an external BNC
connector. This connects to a processing system, such as NIGHTWATCH, an
LFS-2, or VIEWPLATE, to process the signal and provide the intelligence.

Unit Cost: $40k (planned)

Status: Development. Planned IOC is 1st QTR FY09.
POC: S32243

TAWDRYYARD

ANT Product Data 



(TS//SI//REL TO USA, FVEY) Beacon RF retro-reflector. Provides return
when illuminated with radar to provide rough positional location.

07 Apr 2009

(U) Capabilities

(TS//SI//REL TO USA, FVEY) TAWDRYYARD is used as a beacon, typically to assist
in locating and identifying deployed RAGEMASTER units. Current design allows it to
be detected and located quite easily within a 50' radius of the radar system
being used to illuminate it. TAWDRYYARD draws as 8 µA at 2.5V (20 µW) allowing a
standard lithium coin cell to power it for months or years. The simplicity of the
design allows the form factor to be tailored for specific operational
requirements. Future capabilities being considered are return of GPS coordinates
and a unique target identifier and automatic processing to scan a target area for
presence of TAWDRYYARDs. All components are COTS and so are non-attributable to
NSA.

(U) Concept of Operation

(TS//SI//REL TO USA, FVEY) The board generates a square wave operating
at a preset frequency. This square wave is used to turn a FET (field effect
transistor) on and off. When the unit is illuminated with a CW signal, the
illuminating signal is amplitude-modulated (AM) with the square wave. This
signal is re-radiated, where it is picked up by the radar, then processed to
recover the clock signal. Typically, the fundamental is used to indicate the
unit's presence, and is simply displayed on a low frequency spectrum
analyzer. TAWDRYYARD is part of the ANGRYNEIGHBOR family of radar
retro-reflectors.

Unit Cost: $30

Status: End processing still in development

NIGHTSTAND

Wireless Exploitation / Injection Tool 



(TS//SI//REL) An active 802.11 wireless exploitation and injection tool for 
payload/exploit delivery into otherwise denied target space, NIGHTSTAND is 
typically used in operations where wired access to the target is not possible. 



07/25/08 



(TS//SI//REL) NIGHTSTAND - Close Access Operations * 

Battlefield Tested - Windows Exploitation * Standalone System 

System Details 

> (U//FOUO) Standalone too! currently 
running on an x86 laptop loaded with 
Linux Fedora Core 3. 

> (TS//SI//REL) Exploitable Targets 
include Win2k 1 WinXP, WinXPSPl, 

WINXPSP2 running internet Explorer 
versions 5. 0-6.0. 

> (TS//SI//REL) NS packet injection can 
target one client or multiple targets on a 
wireless network. 

> (TS//SI//REL) Attack is undetectable by 
the user, 

NIGHTSTAND Hardware 

(TS//S1//REL) Use of external amplifiers and antennas in both 
experimental and operational scenarios have resulted in successful 
NIGHTSTAND attacks from as far away as eight miles under ideal 
environmental conditions. 

Unit Cost: Varies from platform to platform 

Status: Product has been deployed in the field. Upgrades to the system continue to 
be developed. 
SPARROW II 

Wireless Survey - Airborne Operations - UAV 



(TS//SI//REL) An embedded computer system running BLINDDATE 
tools. Sparrow II is a fully functional WLAN collection system with 
integrated Mini PCI slots for added functionality such as GPS and 
multiple Wireless Network Interface Cards. 



(U//FOUO) System Specs 

Processor: IBM Power PC 405GPR 

Memory: 64MB (SDRAM), 16MB (FLASH) 

Expansion: Mini PCI (Up to 4 devices) supports USB, Compact Flash, and 802.11 B/G 

OS: Linux (2.4 Kernel) 

Application SW: BLINDDATE 

Battery Time: At least two hours 

(TS//SI//REL) The Sparrow II is a capable option for deployment where 
small size, minimal weight and reduced power consumption are required. 
PCI devices can be connected to the Sparrow II to provide additional 
functionality, such as wireless command and control or a second or third 
802.11 card. The Sparrow II is shipped with Linux and runs the 
BLINDDATE software suite. 



Unit Cost: $6K 

Status: (S//SI//REL) Operational Restrictions exist for equipment deployment. 

S32242, | 

GINSU 

ANT Product Data 



(TS//SI//REL) GINSU provides software application persistence for the CNE implant, 
KONGUR, on target systems with the PCI bus hardware implant, BULLDOZER. 



06/20/08 







[Figure labels: KONGUR-implanted computer on Network 'B'; KONGUR-implanted 
computer on Network 'A'; BULLDOZER-implanted computer on Network 'A'] 

(TS//SI//REL) GINSU Extended Concept of Operations 



(TS//SI//REL) This technique supports any desktop PC system that contains at least 
one PCI connector (for BULLDOZER installation) and Microsoft Windows 9x, 2000, 
2003, XP, or Vista. 

(TS//SI//REL) Through interdiction, BULLDOZER is installed in the target system as 
a PCI bus hardware implant. After fielding, if KONGUR is removed from the system 
as a result of an operating system upgrade or reinstall, GINSU can be set to trigger 
on the next reboot of the system to restore the software implant. 



Status: Released / Deployed. Ready for Immediate Delivery 

Unit Cost: $0 

IRATEMONK 

ANT Product Data 



(TS//SI//REL) IRATEMONK provides software application persistence on desktop 
and laptop computers by implanting the hard drive firmware to gain execution 
through Master Boot Record (MBR) substitution. 
[Figure labels: Target Systems; UNITEDRAKE Server] 

(TS//SI//REL) IRATEMONK Extended Concept of Operations 



(TS//SI//REL) This technique supports Systems without RAID hardware that boot 
from a variety of Western Digital, Seagate, Maxtor, and Samsung hard drives. The 
supported file systems are: FAT, NTFS, EXT3 and UFS. 

(TS//SI//REL) Through remote access or interdiction, UNITEDRAKE, or 
STRAITBAZZARE are used in conjunction with SLICKERVICAR to upload the hard 
drive firmware onto the target machine to implant IRATEMONK and its payload (the 
implant installer). Once implanted, IRATEMONK's frequency of execution (dropping 
the payload) is configurable and will occur when the target machine powers on. 



Status: Released / Deployed. Ready for Immediate Delivery 

Unit Cost: $0 

SWAP 



ANT Product Data 



(TS//SI//REL) SWAP provides software application persistence by exploiting the 
motherboard BIOS and the hard drive's Host Protected Area to gain periodic 
execution before the Operating System loads. 



06/20/08 




(TS//SI//REL) This technique supports single or multi-processor systems running 
Windows, Linux, FreeBSD, or Solaris with the following file systems: FAT32, NTFS, 
EXT2, EXT3, or UFS 1.0. 

(TS//SI//REL) Through remote access or interdiction, ARKSTREAM is used to re- 
flash the BIOS and TWISTEDKILT to write the Host Protected Area on the hard 
drive on a target machine in order to implant SWAP and its payload (the implant 
installer). Once implanted, SWAP’s frequency of execution (dropping the payload) is 
configurable and will occur when the target machine powers on. 



Status: Released / Deployed. Ready for Immediate Delivery 

POC: 

Unit Cost: $0 

WISTFULTOLL 

ANT Product Data 



(TS//SI//REL) WISTFULTOLL is a UNITEDRAKE and STRAITBIZZARE plug-in 
used for harvesting and returning forensic information from a target using Windows 
Management Instrumentation (WMI) calls and Registry extractions. 

(TS//SI//REL) WISTFULTOLL Extended Concept of Operations 

[Figure label: Target Systems] 



(TS//SI//REL) This plug-in supports systems running Microsoft Windows 2000, 
2003, and XP. 

(TS//SI//REL) Through remote access or interdiction, WISTFULTOLL is executed 
as either a UNITEDRAKE or STRAITBAZZARE plug-in or as a stand-alone 
executable. If used remotely, the extracted information is sent back to NSA through 
UNITEDRAKE or STRAITBAZZARE. Execution via interdiction may be 
accomplished by non-technical operator through use of a USB thumb drive, where 
extracted information will be saved to that thumb drive. 



Status: Released / Deployed. Ready for Immediate Delivery 

Unit Cost: $0 

HOWLERMONKEY 

ANT Product Data 



(TS//SI//REL) HOWLERMONKEY is a custom Short to Medium Range Implant RF 
Transceiver. It is used in conjunction with a digital core to provide a complete 
implant. 



03/05/03 



HOWLERMONKEY - SUTURESAILOR 
1.23" (31.25 mm) x 0.48" (12.2 mm) 

HOWLERMONKEY - YELLOWPIN 
2" (50.8 mm) x 0.45" (11.5 mm) 

(Actual Size) 

HOWLERMONKEY - SUTURESAILOR (Front, Back) 
1.20" (30.5 mm) x 0.23" (6 mm) 

HOWLERMONKEY - FIREWALK 
0.63" (16 mm) x 0.63" (16 mm) 



(TS//SI//REL) HOWLERMONKEY is a COTS-based transceiver designed to be 
compatible with CONJECTURE/SPECULATION networks and STRIKEZONE 
devices running a HOWLERMONKEY personality. PCB layouts are tailored to 
individual implant space requirements and can vary greatly in form factor. 

Status: Available - Delivery 3 months 

Unit Cost: 40 units: $750 each; 25 units: $1,000 each 

JUNIORMINT 

ANT Product Data 



(TS//SI//REL) JUNIORMINT is a digital core packaged in both a mini Printed Circuit Board 
(PCB), to be used in typical concealments, and a miniaturized Flip Chip Module (FCM), to 
be used in implants with size constraining concealments. 

(TS//SI//REL) JUNIORMINT uses the TAO standard implant architecture. The architecture 
provides a robust, reconfigurable, standard digital platform resulting in a dramatic performance 
improvement over the obsolete HC12 microcontroller based designs. A mini Printed Circuit 
Board (PCB) using packaged parts will be developed and will be available as the standard 
platform for applications requiring a digital core. The ultra-miniature Flip Chip Module (FCM) 
will be available for challenging concealments. Both will contain an ARM9 microcontroller, 
FPGA, Flash, SDRAM and DDR2 memories. 

Status: Availability - mini-PCB and Dev Board by April 2009; 
Availability - FCM by June 2010 

Unit Cost: Available Upon Request 

ANT Product Data 



(TS//SI//REL) MAESTRO-II is a miniaturized digital core packaged in a Multi-Chip Module 
(MCM) to be used in implants with size constraining concealments. 

(TS//SI//REL) MAESTRO-II uses the TAO standard implant architecture. The architecture 
provides a robust, reconfigurable, standard digital platform resulting in a dramatic 
performance improvement over the obsolete HC12 microcontroller based designs. A 
development Printed Circuit Board (PCB) using packaged parts has been developed and is 
available as the standard platform. The MAESTRO-II Multi-Chip-Module (MCM) contains an 
ARM7 microcontroller, FPGA, Flash and SDRAM memories. 



uController: ARM 7, 66 MHz 
Flash: AT49BV322A, 4 MBytes 
SDRAM: MT48LC2M32, 8 MBytes 
FPGA: XC2V500, 500k gates 

[Figure: MAESTRO-II block diagram; legible labels include JTAG, UART1, UART2, 
ARM7, FLASH, Regulator and SDRAM] 



Status: Available - On The Shelf 

Unit Cost: $3-4K 

SOMBERKNAVE 

ANT Product Data 



(TS//SI//REL) SOMBERKNAVE is a Windows XP wireless software implant 
that provides covert Internet connectivity for isolated targets. 

(TS//SI//REL) SOMBERKNAVE is a software implant that surreptitiously routes 
TCP traffic from a designated process to a secondary network via an unused 
embedded 802.11 network device. If an Internet-connected wireless Access 
Point is present, SOMBERKNAVE can be used to allow OLYMPUS or 
VALIDATOR to "call home" via 802.11 from an air-gapped target computer. If 
the 802.11 interface is in use by the target, SOMBERKNAVE will not attempt 
to transmit. 



(TS//SI//REL) Operationally, VALIDATOR initiates a call home. 
SOMBERKNAVE triggers from the named event and tries to associate with an 
access point. If connection is successful, data is sent over 802.11 to the ROC. 
VALIDATOR receives instructions, downloads OLYMPUS, then disassociates 
and gives up control of the 802.11 hardware. OLYMPUS will then be able to 
communicate with the ROC via SOMBERKNAVE, as long as there is an 
available access point. 




Status: Available - Fall 2008 

Unit Cost: $50k 

TRINITY 

Product Data 



(TS//SI//REL) TRINITY is a miniaturized digital core packaged in a Multi-Chip Module 
(MCM) to be used in implants with size constraining concealments. 

(TS//SI//REL) TRINITY uses the TAO standard implant architecture. The architecture 
provides a robust, reconfigurable, standard digital platform resulting in a dramatic 
performance improvement over the obsolete HC12 microcontroller based designs. A 
development Printed Circuit Board (PCB) using packaged parts has been developed and is 
available as the standard platform. The TRINITY Multi-Chip-Module (MCM) contains an 
ARM 9 microcontroller, FPGA, Flash and SDRAM memories. 

Status: Special Order due vendor selected. 

Unit Cost: 100 units: $625K 

COTTONMOUTH-I 

ANT Product Data 



(TS//SI//REL) COTTONMOUTH-I (CM-I) is a Universal Serial Bus (USB) hardware implant 
which will provide a wireless bridge into a target network as well as the ability to load exploit 
software onto target PCs. 

(TS//SI//REL) CM-I will provide air-gap bridging, software persistence capability, "in-field" re- 
programmability, and covert communications with a host software implant over the USB. The 
RF link will enable command and data infiltration and exfiltration. CM-I will also communicate 
with Data Network Technologies (DNT) software (STRAITBIZARRE) through a covert 
channel implemented on the USB, using this communication channel to pass commands and 
data between hardware and software implants. CM-I will be a GENIE-compliant implant 
based on CHIMNEYPOOL. 

(TS//SI//REL) CM-I conceals digital components (TRINITY), USB 1.1 FS hub, switches, and 
HOWLERMONKEY (HM) RF Transceiver within the USB Series-A cable connector. 
MOCCASIN is the version permanently connected to a USB keyboard. Another version can 
be made with an unmodified USB connector at the other end. CM-I has the ability to 
communicate to other CM devices over the RF link using an over-the-air protocol called 
SPECULATION. 

[Figure: COTTONMOUTH CONOP, INTERNET Scenario] 

Status: Availability - January 2009 

Unit Cost: 50 units: $1,015K 

COTTONMOUTH-II 

ANT Product Data 



(TS//SI//REL) COTTONMOUTH-II (CM-II) is a Universal Serial Bus (USB) hardware Host 
Tap, which will provide a covert link over USB link into a target's network. CM-II is intended 
to be operated with a long haul relay subsystem, which is co-located within the target 
equipment. Further integration is needed to turn this capability into a deployable system. 

(TS//SI//REL) CM-II will provide software persistence capability, "in-field" re-programmability, 
and covert communications with a host software implant over the USB. CM-II will also 
communicate with Data Network Technologies (DNT) software (STRAITBIZARRE) through a 
covert channel implemented on the USB, using this communication channel to pass 
commands and data between hardware and software implants. CM-II will be a GENIE- 
compliant implant based on CHIMNEYPOOL. 

(TS//SI//REL) CM-II consists of the CM-I digital hardware and the long haul relay concealed 
somewhere within the target chassis. A USB 2.0 HS hub with switches is concealed in a 
dual stacked USB connector, and the two parts are hard-wired, providing an intra-chassis link. 
The long haul relay provides the wireless bridge into the target's network. 

[Figure: COTTONMOUTH-II (CM-II) CONOP, ANT Covert Network Scenario] 

Status: Availability - September 2008 

Unit Cost: 50 units: $200K 

COTTONMOUTH- 



ANT Product Data 



(TS//SI//REL) COTTONMOUTH-I (CM-I) is a Universal Serial Bus (USB) hardware implant, 
which will provide a wireless bridge into a target network as well as the ability to load exploit 
software onto target PCs. 

(TS//SI//REL) CM-III will provide air-gap bridging, software persistence capability, "in-field" 
re-programmability, and covert communications with a host software implant over the USB. 
The RF link will enable command and data infiltration and exfiltration. CM-III will also 
communicate with Data Network Technologies (DNT) software (STRAITBIZARRE) through a 
covert channel implemented on the USB, using this communication channel to pass 
commands and data between hardware and software implants. CM-III will be a GENIE- 
compliant implant based on CHIMNEYPOOL. 

(TS//SI//REL) CM-III conceals digital components (TRINITY), a USB 2.0 HS hub, switches, 
and HOWLERMONKEY (HM) RF Transceiver within a RJ45 Dual Stacked USB connector. 
CM-I has the ability to communicate to other CM devices over the RF link using an over-the- 
air protocol called SPECULATION. CM-III can provide a short range inter-chassis link to 
other CM devices or an intra-chassis RF link to a long haul relay subsystem. 

Status: Availability - May 2009 

POC: S3223, 

ALT POC: S3223, 

Unit Cost: 50 units: $1,248K 

Derived From: NSA/CSSM 1-52 
Dated: 20070108 
Declassify On: 20320108 

FIREWALK 

ANT Product Data 



(TS//SI//REL) FIREWALK is a bidirectional network implant, capable of passively collecting 
Gigabit Ethernet network traffic, and actively injecting Ethernet packets onto the same 
target network. 

(TS//SI//REL) FIREWALK is a bi-directional 10/100/1000bT (Gigabit) Ethernet network 
implant residing within a dual stacked RJ45 / USB connector. FIREWALK is capable of 
filtering and egressing network traffic over a custom RF link and injecting traffic as 
commanded; this allows an Ethernet tunnel (VPN) to be created between target network and 
the ROC (or an intermediate redirector node such as DNT's DANDERSPRITZ tool.) 
FIREWALK allows active exploitation of a target network with a firewall or air gap protection. 

(TS//SI//REL) FIREWALK uses the HOWLERMONKEY transceiver for back-end 
communications. It can communicate with an LP or other compatible HOWLERMONKEY 
based ANT products to increase RF range through multiple hops. 





[Figure legend: HM = HOWLERMONKEY; LHR = Long Haul Relay; network shown as 
Internet or Field Net] 

Status: Prototype Available - August 2008 

Unit Cost: 50 Units $537K 

SURLYSPAWN 

ANT Product Data 



(TS//SI//REL TO USA, FVEY) Data RF retro-reflector. Provides return 
modulated with target data (keyboard, low data rate digital device) when 
illuminated with radar. 



07 Apr 2009 



(U) Capabilities 

(TS//SI//REL TO USA, FVEY) SURLYSPAWN 
has the capability to gather keystrokes without 
requiring any software running on the targeted 
system. It also only requires that the targeted 
system be touched once. The retro-reflector is 
compatible with both USB and PS/2 keyboards. 

The simplicity of the design allows the form 
factor to be tailored for specific operational 
requirements. Future capabilities will include 
laptop keyboards. 

(U) Concept of Operation 

(TS//SI//REL TO USA, FVEY) The board taps into the data line from the 
keyboard to the processor. The board generates a square wave oscillating at 
a preset frequency. The data-line signal is used to shift the square wave 
frequency higher or lower, depending on the level of the data-line signal. The 
square wave, in essence, becomes frequency shift keyed (FSK). When the 
unit is illuminated by a CW signal from a nearby radar, the illuminating signal 
is amplitude-modulated (AM) with this square wave. The signal is re-radiated, 
where it is received by the radar, demodulated, and the demodulated signal is 
processed to recover the keystrokes. SURLYSPAWN is part of the 
ANGRYNEIGHBOR family of radar retro-reflectors. 

Unit Cost: $30 

Status: End processing still in development 

S32243, | 

Derived From: NSA/CSSM 1-52 
Declassify On: 20320108 





TOP SECRET//COMINT//REL TO USA, FVEY 



RAGEMASTER 

ANT Product Data 



(TS//SI//REL TO USA, FVEY) RF retro-reflector that provides an enhanced radar 
cross-section for VAGRANT collection. It's concealed in a standard computer video 
graphics array (VGA) cable between the video card and video monitor. It's typically 
installed in the ferrite on the video cable. 



24 Jul 2008 



(U) Capabilities 

(TS//SI//REL TO USA, FVEY) RAGEMASTER provides a target for RF flooding 
and allows for easier collection of the VAGRANT video signal. The current 
RAGEMASTER unit taps the red video line on the VGA cable. It was found that, 
empirically, this provides the best video return and cleanest readout of the 
monitor contents. 




(U) Concept of Operation 

(TS//SI//REL TO USA, FVEY) The RAGEMASTER taps the red video line 
between the video card within the desktop unit and the computer monitor, 
typically an LCD. When the RAGEMASTER is illuminated by a radar unit, the 
illuminating signal is modulated with the red video information. This information 
is re-radiated, where it is picked up at the radar, demodulated, and passed 
onto the processing unit, such as a LFS-2 and an external monitor, 
NIGHTWATCH, GOTHAM, or (in the future) VIEWPLATE. The processor 
recreates the horizontal and vertical sync of the targeted monitor, thus allowing 
TAO personnel to see what is displayed on the targeted monitor. 

Unit Cost: $80 

Status: Operational. Manufactured on an as-needed basis. Contact ROC for 
availability information. 

POC: S32243, | 

DROPOUTJEEP 

ANT Product Data 



(TS//SI//REL) DROPOUTJEEP is a STRAITBIZARRE based software implant for 
the Apple iPhone operating system and uses the CHIMNEYPOOL framework. 
DROPOUTJEEP is compliant with the FREEFLOW project, therefore it is supported 
in the TURBULENCE architecture. 

10/01/08 

(U//FOUO) DROPOUTJEEP - Operational Schematic 



(TS//SI//REL) DROPOUTJEEP is a software implant for the Apple iPhone that 
utilizes modular mission applications to provide specific SIGINT functionality. This 
functionality includes the ability to remotely push/pull files from the device, SMS 
retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell 
tower location, etc. Command, control, and data exfiltration can occur over SMS 
messaging or a GPRS data connection. All communications with the implant will be 
covert and encrypted. 

(TS//SI//REL) The initial release of DROPOUTJEEP will focus on installing the 
implant via close access methods. A remote installation capability will be pursued 
for a future release. 



Unit Cost: $0 

Status: (U) In development 

POC: U//FOUO | |, S32222, 

GOPHERSET 

ANT Product Data 



(TS//SI//REL) GOPHERSET is a software implant for GSM (Global System for 
Mobile communication) subscriber identity module (SIM) cards. This implant pulls 
Phonebook, SMS, and call log information from a target handset and exfiltrates it to 
a user-defined phone number via short message service (SMS). 

10/01/08 

(U//FOUO) GOPHERSET - Operational Schematic 



(TS//SI//REL) Modern SIM cards (Phase 2+) have an application program interface 
known as the SIM Toolkit (STK). The STK has a suite of proactive commands that 
allow the SIM card to issue commands and make requests to the handset. 
GOPHERSET uses STK commands to retrieve the requested information and to 
exfiltrate data via SMS. After the GOPHERSET file is compiled, the program is 
loaded onto the SIM card using either a Universal Serial Bus (USB) smartcard 
reader or via over-the-air provisioning. In both cases, keys to the card may be 
required to install the application depending on the service provider's security 
configuration. 

Unit Cost: $0 

Status: (U//FOUO) Released. Has not been deployed. 

POC: U//FOUO | | 

MONKEYCALENDAR 

ANT Product Data 



(TS//SI//REL) MONKEYCALENDAR is a software implant for GSM (Global System 
for Mobile communication) subscriber identity module (SIM) cards. This implant 
pulls geolocation information from a target handset and exfiltrates it to a 
user-defined phone number via short message service (SMS). 




10/01/08 

(U//FOUO) MONKEYCALENDAR - Operational Schematic 

(TS//SI//REL) Modern SIM cards (Phase 2+) have an application program interface 
known as the SIM Toolkit (STK). The STK has a suite of proactive commands that 
allow the SIM card to issue commands and make requests to the handset. 
MONKEYCALENDAR uses STK commands to retrieve location information and to 
exfiltrate data via SMS. After the MONKEYCALENDAR file is compiled, the 
program is loaded onto the SIM card using either a Universal Serial Bus (USB) 
smartcard reader or via over-the-air provisioning. In both cases, keys to the card 
may be required to install the application depending on the service provider's 
security configuration. 



Unit Cost: $0 

Status: Released, not deployed. 

POC: U//FOUO S32222, 

TOTECHASER 

ANT Product Data 



(TS//SI//REL) TOTECHASER is a Windows CE implant targeting the Thuraya 2520 
handset. The Thuraya 2520 is a dual mode phone that can operate either in SAT or 
GSM modes. The phone also supports a GPRS data connection for web browsing, 
e-mail, and MMS messages. The initial software implant capabilities include 
providing GPS and GSM geo-location information. Call log, contact list, and other 
user information can also be retrieved from the phone. Additional capabilities are 
being investigated. 

(U//FOUO) TOTECHASER - Operational Schematic 



(TS//SI//REL) TOTECHASER will use SMS messaging for the command, control, 
and data exfiltration path. The initial capability will use covert SMS messages to 
communicate with the handset. These covert messages can be transmitted in 
either Thuraya Satellite mode or GSM mode and will not alert the user of this 
activity. An alternate command and control channel using the GPRS data 
connection based on the TOTEGHOSTLY implant is intended for a future version. 

(TS//SI//REL) Prior to deployment, the TOTECHASER handsets must be modified. 
Details of how the phone is modified are being developed. A remotely deployable 
TOTECHASER implant is being investigated. The TOTECHASER system consists 
of the modified target handsets and a collection system. 

(TS//SI//REL) TOTECHASER will accept configuration parameters to determine 
how the implant operates. Configuration parameters will determine what information 
is recorded, when to collect that information, and when the information is exfiltrated. 
The configuration parameters can be set upon initial deployment and updated 
remotely. 

Unit Cost: $ 

Status: 

TOTEGHOSTLY 2.0 

ANT Product Data 



(TS//SI//REL) TOTEGHOSTLY 2.0 is a STRAITBIZARRE based implant for the 
Windows Mobile embedded operating system and uses the CHIMNEYPOOL 
framework. TOTEGHOSTLY 2.0 is compliant with the FREEFLOW project, 
therefore it is supported in the TURBULENCE architecture. 

[Figure label: Target Device] 

(U//FOUO) TOTEGHOSTLY - Data Flow Schematic 

(TS//SI//REL) TOTEGHOSTLY 2.0 is a software implant for the Windows Mobile 
operating system that utilizes modular mission applications to provide specific 
SIGINT functionality. This functionality includes the ability to remotely push/pull files 
from the device, SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, 
camera capture, cell tower location, etc. Command, control, and data exfiltration 
can occur over SMS messaging or a GPRS data connection. A FRIEZERAMP 
interface using HTTPSlink2 transport module handles encrypted communications. 

(TS//SI//REL) The initial release of TOTEGHOSTLY 2.0 will focus on installing the 
implant via close access methods. A remote installation capability will be pursued 
for a future release. 



(TS//SI//REL) TOTEGHOSTLY 2.0 will be controlled using an interface tasked 
through the NCC (Network Control Center) utilizing the XML based tasking and data 
forward scheme under the TURBULENCE architecture following the TAO GENIE 
Initiative. 



Unit Cost: $0 

Status: (U) In development 

POC: U//FOUO 

PICASSO 

GSM HANDSET 



(S//SI//REL) Modified GSM (target) handset that collects user data, location 
information and room audio. Command and data exfil is done from a laptop and 
regular phone via SMS - (Short Messaging Service), without alerting the target. 

06/20/08 



(S//SI) Target Data via SMS: 

* Incoming call numbers 
* Outgoing call numbers 
* Recently registered networks 
* Recent Location Area Codes (LAC) 
* Cell power and Timing Advance information (GEO) 
* Recently Assigned TMSI, IMSI 
* Recent network authentication challenge responses 

[Figure: GSM Network diagram] 

(S//SI) PICASSO Operational Concept 

* Recent successful PINs entered into the phone during the power-on cycle 
* SW version of PICASSO implant 
* 'Hot-mic' to collect Room Audio 
* Panic Button sequence (sends location information to an LP Operator) 
* Send Targeting Information (i.e. current IMSI and phone number when it 
  is turned on - in case the SIM has just been switched). 
* Block call to deny target service. 



(S//SI//REL) Uses include asset 
validation and tracking and target 
templating. Phone can be hot 
mic'd and has a "Panic Button" 
key sequence for the witting user. 

Status: 2 weeks ARO (10 or less) 

(S//SI//REL) Handset Options 

* Eastcom 760c+ 
* Samsung E600, X450 
* Samsung C140 
* (with Arabic keypad/language option) 

Unit Cost: approx $2000 

POC: S32242, 

CROSSBEAM 

ANT Product Data 



(TS//SI//REL) CROSSBEAM is a GSM module that mates a modified commercial 
cellular product with a WAGONBED controller board. 

(TS//SI//REL) CROSSBEAM is a reusable CHIMNEYPOOL-compliant GSM 
communications module capable of collecting and compressing voice data. 
CROSSBEAM can receive GSM voice, record voice data, and transmit the received 
information via connected modules or 4 different GSM data modes (GPRS, Circuit 
Switched Data, Data Over Voice, and DTMF) back to a secure facility. The 
CROSSBEAM module consists of a standard ANT architecture embedded computer, 
a specialized phone component, a customized software controller suite and an 
optional DSP (ROCKYKNOB) if using Data Over Voice to transmit data. 




[Figure: CROSSBEAM Voice Handling] 

Status: Limited Supply Available 

Unit Cost: $4k 

Delivery: 90 days for most configurations 

POC: | 
ALT POC: 

Derived From: NSA/CSSM 1-52 

CANDYGRAM 



GSM Telephone Tripwire 



(S//SI//REL) Mimics GSM cell tower of a target network. Capable of operations at 
900, 1800, or 1900 MHz. Whenever a target handset enters the CANDYGRAM 
base station's area of influence, the system sends out an SMS through the external 
network to registered watch phones. 

06/20/08 




(S//SI//REL) CANDYGRAM Operational Concept 



(S//SI//REL) Typical use scenarios are asset validation, target tracking and 
identification as well as identifying hostile surveillance units with GSM handsets. 
Functionality is predicated on a priori target information. 

(S//SI//REL) System HW

* GPS processing unit
* Tri-band BTS radio
* Windows XP laptop and cell phone*
* 9" wide x 12" long x 2" deep
* External power (9-30 VDC).

*Remote control software can be used with any connected to the laptop (used
for communicating with the CANDYGRAM unit through text messages (SMS)).

(S//SI//REL) SW Features

* Configurable 200 phone number target deck.
* Network auto-configuration
* Area Survey Capability
* Remote Operation Capability
* Configurable Network emulation
* Configurable RF power level
* Multi-Units under single C&C
* Remote restart
* Remote erasure (not field recoverable)

Status: Available 8 mos ARO
POC: S32242
Unit Cost: approx $40K
CYCLONE Hx9

Base Station Router

(S//SI//FVEY) EGSM (900MHz) macro-class Network-In-a-Box (NIB) system. Uses
the existing Typhon GUI and supports the full Typhon feature base and applications.



(S//SI//REL) Operational Restrictions exist for equipment deployment.

> (S//SI//REL) Features:

* EGSM 900MHz
* Macro-class (+43dBm)
* 32+ Km Range
* Optional Battery Kits
* Highly Mobile and Deployable
* Integrated GPS, MS, & 802.11
* Voice & High-speed Data
* GSM Security & Encryption

> (S//SI//REL) Advanced Features:

* GPS - Supporting Typhon applications
* GSM Handset Module - Supports auto-configuration and remote command and control features.
* 802.11 - Supports high speed wireless LAN remote command and control

> (S//SI//REL) Enclosure:

* [dimensions illegible in source]
* Approximately 8 lbs
* Actively cooled for extreme environments

> (S//SI//REL) Cyclone Hx9 System Kit:

* Cyclone Hx9 System
* AC/DC power converter
* Antenna to support MS, GPS, WIFI, & RF
* LAN, RF, & USB cables
* Pelican Case
* (Field Kit only) Control Laptop and Accessories

> (S//SI//REL) Separately Priced Options:

* 800 WH LiIon Battery Kit

> (S//SI//REL) Base Station Router Platform:

* Overlay GSM cellular communications supporting up to 32 Cyclone Mx9 systems providing full mobility and utilizing a VoIP back-haul.
* GPRS data service and associated application

Unit Cost: $70K for two months
Status: Just out of development, first production runs ongoing.
EBSR

Low Power GSM Active Interrogator

(S//SI//REL) Multi-purpose, Pico class, tri-band active GSM base station with
internal 802.11/GPS/handset capability.



01/27/09

(S//SI//REL) Operational Restrictions exist for equipment deployment.

> (S//SI//REL) Features:

* LxT Model: 900/1800/1900MHz
* LxU Model: 850/1800/1900MHz
* Pico-class (1Watt) Base station
* Optional Battery Kits
* Highly Mobile and Deployable
* Integrated GPS, MS, & 802.11
* Voice & High-speed Data
* SMS Capability

> (S//SI//REL) Enclosure:

* 1.9"H x 8.6"W x 6.3"D
* Approximately 3 lbs
* Actively cooled for extreme environments

> (S//SI//REL) EBSR System Kit:

* EBSR System
* AC/DC power converter
* Antennas to support MS, GPS, WIFI, & RF
* LAN, RF, & USB cables
* Pelican Case
* (Field Kit only) Control Laptop and Accessories

> (S//SI//REL) Separately Priced Options:

* 90 WH LiIon Battery Kit

> (S//SI//REL) Base Station Router Platform:

* Multiple BSR units can be interconnected to form a macro network using 802.3 and 802.11 back-haul.
* Supports Landshark/Candygram capabilities.

Status:
Unit Cost: $40K
ENTOURAGE

(S//SI//REL) Direction Finding on HollowPoint Platform

(S//SI//REL) Direction Finding application operating on the HOLLOWPOINT
platform. The system is capable of providing line of bearing for GSM/UMTS/
CDMA2000/FRS signals. A band-specific antenna and laptop controller is needed to
complement the HOLLOWPOINT system and completes the ground based system.

(S//SI//REL) HOLLOWPOINT SDR Platform and Antenna

(S//SI) The ENTOURAGE application leverages the 4 Software Defined Radio
(SDR) units in the HOLLOWPOINT platform. This capability provides an "Artemis-
like" capability for waveforms of interest (2G, 3G, others). The ENTOURAGE
application works in conjunction with the NEBULA active interrogator as part of the
Find/Fix/Finish capabilities of the GALAXY program.

> (S//SI//REL) Features:

* Software Defined Radio System
* Operating range 10MHz - 4GHz
* 4 Receive paths, all synchronized
* 1 Transmit path
* DF capability on GSM/UMTS/CDMA2000/FRS signals
* Gigabit Ethernet
* Integrated GPS
* Highly Mobile and Deployable

> (S//SI//REL) Enclosure:

* 1.8"H x 8.0"W x 8.0"D
* Approximately 3 lbs
* 15 Watts
* Passively cooled

> (S//SI//REL) Future Developments:

* WiMAX
* WiFi
* LTE

Status: The system is in the final testing stage and will be in production Spring 09.
Unit Cost: $70K
GENESIS

Covert SIGINT Transceiver

(S//SI//REL) Commercial GSM handset that has been modified to include a
Software Defined Radio (SDR) and additional system memory. The internal SDR
allows a witting user to covertly perform network surveys, record RF spectrum, or
perform handset location in hostile environments.

(S//SI//REL) GENESIS Handset

(S//SI//REL) The GENESIS systems are designed to support covert operations in
hostile environments. A witting user would be able to survey the local environment
with the spectrum analyzer tool, select spectrum of interest to record, and download
the spectrum information via the integrated Ethernet to a laptop controller. The
GENESIS system could also be used, in conjunction with an active interrogator, as the
finishing tool when performing Find/Fix/Finish operations in unconventional
environments.

> (S//SI//REL) Features:

* Concealed SDR with Handset Menu Interface
* Spectrum Analyzer Capability
* Find/Fix/Finish Capability
* Integrated Ethernet
* External Antenna Port
* Internal 16 GB of storage
* Multiple Integrated Antennas

> (S//SI//REL) Future Enhancements:

* 3G Handset Host Platform
* Additional Host Platforms
* Increased Memory Capacity
* Additional Find/Fix/Finish Capabilities
* Active Interrogation Capabilities

Status: Current GENESIS platform available.
Future platforms available when developments are completed.

POC: S32242

Unit Cost: $15K
NEBULA

Base Station Router

(S//SI//FVEY) Multi-Protocol macro-class Network-In-a-Box (NIB) system.
Leverages the existing Typhon GUI and supports GSM, UMTS, CDMA2000
applications. LTE capability currently under development.

(S//SI//REL) Operational Restrictions exist for equipment deployment.

> (S//SI//REL) Features:

* Dual Carrier System
* EGSM 900MHz
* UMTS 2100MHz
* CDMA 2000 1900MHz
* Macro-class Base station
* Optional Battery Kits
* Highly Mobile and Deployable
* Integrated GPS, MS, & 802.11
* Voice & High-speed Data

> (S//SI//REL) Advanced Features:

* GPS - Supporting NEBULA applications
* Future GPRS and HSDPA data service and associated applications
* Designed to be self-configuring with security and encryption features
* 802.11 - Supports high speed wireless LAN remote command and control

> (S//SI//REL) Enclosure:

* 8.5"H x 13.0"W x 16.5"D
* Approximately 45 lbs
* Actively cooled for extreme environments

> (S//SI//REL) NEBULA System Kit:

* NEBULA System
* 3 interchangeable RF bands
* AC/DC power converter
* Antenna to support MS, GPS, WIFI, & RF
* LAN, RF, & USB cables
* Pelican Case
* (Field Kit only) Control Laptop and Accessories

> (S//SI//REL) Separately Priced Options:

* 1500 WH LiIon Battery Kit

> (S//SI//REL) Base Station Router Platform:

* Multiple BSR units can be interconnected to form a macro network using 802.3 and 802.11 back-haul.

Status:

Unit Cost: $250K
POC:

SECRET//COMINT//REL TO USA, FVEY

Derived From: NSA/CSSM 1-52
Dated: 20070108
Declassify On: 20320105








TYPHON HX

GSM Base Station Router

(S//SI//FVEY) Base Station Router - Network-In-a-Box (NIB) supporting GSM
bands 850/900/1800/1900 and associated full GSM signaling and call control.

Typhon Hx BSR

(S//SI//FVEY) Tactical SIGINT elements use this equipment to find, fix and finish
targeted handset users.

(S//SI) Target GSM handset registers with BSR unit.

(S//SI) Operators are able to geolocate registered handsets, capturing the user.

(S//SI//REL) The macro-class Typhon is a Network-In-a-Box (NIB), which includes
all the necessary architecture to support Mobile Station call processing and SMS
messaging in a stand-alone chassis with a pre-provisioning capability.

(S//SI//REL) The Typhon system kit includes the amplified Typhon system, OAM&P
Laptop, cables, antennas and AC/DC power supply.

(U//FOUO) An 800 WH LiIon Battery kit is offered separately.

(U) A bracket and mounting kit are available upon request.

(U) Status: Available 4 mos ARO

(S//SI//REL) Operational Restrictions exist for equipment deployment.
WATERWITCH

Handheld Finishing Tool

(S//SI) Hand held finishing tool used for geolocating targeted handsets
in the field.

(S//SI) WATERWITCH Handset DF Set

(S//SI) Features:

• Split display/controller for flexible deployment capability

• External antenna for DFing target; internal antenna for communication with
active interrogator

• Multiple technology capability based on SDR Platform; currently UMTS, with
GSM and CDMA2000 under development

• Approximate size 3" x 7.5" x 1.25" (radio), 2.5" x 5" x 0.75"
(display); radio shrink in planning stages

• Display uses E-Ink technology for low light emissions

(S//SI) Tactical Operators use WATERWITCH to locate
handsets (last mile) where handset is connected to Typhon or
similar equipment interrogator. WATERWITCH emits tone and
gives signal strength of target handset. Directional antenna on
unit allows operator to locate specific handset.

Status: Under Development. Available FY-2008
LRIP Production due August 2008
Unit Cost: